Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
Information Security Standards

Information Security Standards

Ratings: (0)|Views: 325|Likes:

More info:

Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





Information Security Standards
Dan Constantin Tofan
 Academy of Economic Studies Bucharest Romana Square, district 1, Bucharest 010374,ROMANIAtofandan@yahoo.com 
The use of standards is unanimously accepted and gives the possibility of comparing a personalsecurity system with a given frame of reference adopted at an international level. A good example is the ISO9000 set of standards regarding the quality management system, which is a common reference regardless of theindustry in which a certain company activates. Just like quality control standards for other industrial processessuch as manufacturing and customer service, information security standards demonstrate in a methodical andcertifiable manner that an organization conforms to industry best practices and procedures. This article offers a
review of the world’s most used information security standards.
Information Security Standards, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 17799, COBIT, NIST SP-800 series, Federal Office for Information Security (BSI), ISF
Standard of good practice for InformationSecurity.
1. What is an informationsecurity standard?
Generally speaking a standard, whether itis an accountability standard, a technicalstandard or an information securitystandard, it represents a set of requirements that a product or a systemmust achieve. Assuming the conformity of a product or system with a certainstandard demonstrates that it fulfills all the
standard’s specifications.
 There are currently some primarystandards in place governing informationsecurity.First of them is the ISO/IEC 27000 seriesof standards. It is the most recognizablestandard as it bears the internationallyprestigious name of the InternationalOrganization for Standardization and theInternational Electrotechnical Commission.It was initiated by British StandardInstitute in 1995 through BS7799(Information Security ManagementSystem), and later was taken over by theISO (International Organization forStandardization) and released under thename of ISO/IEC 27000 series (ISMSFamily of Standards) and ISO/IEC
17799:2005 “Information Technology –
 Code of practice for information security
management”. Secondly, there is the NIST
SP800 group of standards, published bythe National Institute of Standards andTechnology (NIST) from USA.Another information security standard isthe Information Security Forum's Standardof Good Practice for Information Security.This document also includes a descriptionof COBIT and BSI Standards 100 series.Due to the lack of space otherinternational security standards like ITILcould not be presented.
2. Why do we need aninformation security standard?
The use of standards is unanimouslyaccepted and gives the possibility of comparing a personal security system witha given frame of reference adopted at aninternational level. A good example is theISO 9000 set of standards regarding thequality management system, which is acommon reference regardless of theindustry in which a certain companyactivates.Standards ensure desirable characteristicsof products and services such as quality,safety, reliability, efficiency and
This is a post conference paper. Parts of this paper have been published in theProceedings of the 3
International Conference on Security for InformationTechnology and Communications, SECITC 2010 Conference (printed version).
Journal of Mobile, Embedded and Distributed Systems, vol. III, no. 3, 2011
ISSN 2067
 interchangeability - and at an economicalcost.We need information security standards inorder to implement information securitycontrols to meet an organizationsrequirements as well as a set of controlsfor business relationships with otherorganizations and the most effective wayto do this is to have a common standardon best practice for information securitymanagement such as ISO/IEC17799:2005. Organizations can thenbenefit from common best practice at aninternational level, and can prove theprotection of their business processes andactivities in order to satisfy businessneeds.Anyone responsible for designing orimplementing information security systemsknows that it can sometimes be difficult todemonstrate the effectiveness of theirsolutions, either to their organization'sdecision makers, or to its clients. Decisionmakers need to know that the budgetsthey assign are being directed atworthwhile targets, while clients demandthe sense of confidence that comes withknowing their sensitive data andconfidential details are in safe hands.This is where the role of informationsecurity standards becomes essential.Similarly to quality control standards forother industrial branches such as customerservice, information security standardsdemonstrate in a methodical andcertifiable manner that an organizationconforms to industry best practices andprocedures.
3. The ISO/IEC 27000 standardsseries
The International Organization forStandardization (Organizationinternationale de normalization), known asISO, is an international-standard-settingbody composed of representatives fromvarious national standards organizations.Founded on 23 February 1947, theorganization promulgates world-wideproprietary industrial and commercial
standards. ISO’s headquarters are in
Geneva, Switzerland ISO is defined as anon-governmental organization, but itsability to set standards that often becomelaw, either through treaties or nationalstandards, makes it more powerful thanmost non-governmental organizations.The ISO International Standards arepublished in accordance with the followingformat: ISO[/IEC][/ASTM] [IS]nnnnn[:yyyy] Title, where nnnnn is thenumber of the standard, yyyy is the yearpublished, and Title describes the subject.IEC stands for InternationalElectrotechnical Commission and isincluded if the standard results from thework of ISO/IEC JTC1 (the ISO/IEC JointTechnical Committee). For standardsdeveloped in cooperation with ASTMInternational, ASTM is used.ISO has 157 national members, out of the195 total countries in the world. ISO hasthree membership categories:
Member bodies
are national bodies thatare considered to be the mostrepresentative standards body in eachcountry. These are the only members of ISO that have voting rights.
Correspondent members
are countriesthat do not have their own standardsorganization. These members are informedabout ISO's work, but do not participate instandards promulgation.
Subscriber members
are countries withsmall economies. They pay reducedmembership fees, but can follow thedevelopment of standards.The ISO/IEC 27000-series (also known asthe 'ISMS Family of Standards' or 'ISO27k'for short) comprises information securitystandards published jointly by theInternational Organization forStandardization (ISO) and theInternational Electrotechnical Commission(IEC). The series providesrecommendations on information securitymanagement, risk handling and controlsimplementation within the context of anoverall Information Security ManagementSystem (ISMS). Management systems forquality assurance (the ISO 9000 series)and environmental protection (the ISO14000 series) are also similar in design tothe ISO/IEC 27000- series of standards.The series is applicable to organizations of all shapes and sizes covering more than just privacy, confidentiality and IT ortechnical security issues.The first of the 27000 series of standards(27001) was published in 2005. However,
 its predecessor -- ISO/IEC 17799 - datesback to 2000, a time when the growth of the Internet caused a rapidly increasingawareness of the importance of security inthe IT industry.There are currently four publishedstandards in the series: 27001, 27002,27005 and 27006. Ten more are at variousdraft stages.
3.1. ISO/IEC27001
The 27001 standard sets out the stepsrequired for an organization's InformationSecurity Management Systems (ISMS) toachieve certification. The standardspecifies seven key elements in thecreation of a certified ISMS. These are toestablish, implement, operate, monitor,review, maintain and improve the system.As a management standard it doesn'tmandate the use of specific controls somuch as specify the managementprocesses required to identify controls thatare appropriate to the organization.It is intended to be used along withISO/IEC 27002 (formerly ISO/IEC 17799),the Code of Practice for InformationSecurity Management, which lists securitycontrol objectives and recommends arange of specific security controls.Organizations that implement an ISMS inaccordance with ISO/IEC 27002 are likelyto simultaneously meet the requirementsof ISO/IEC 27001 but certification isentirely optional.
3.2. ISO/IEC 27002
ISO/IEC 27002 is an information securitystandard published by the InternationalOrganization for Standardization (ISO) andthe International ElectrotechnicalCommission (IEC) as ISO/IEC 17799:2005and subsequently renumbered ISO/IEC27002:2005 in July 2007, bringing it intoline with the other ISO/IEC 27000-seriesstandards. It is entitled Informationtechnology - Security techniques - Code of practice for information securitymanagement. The current standard is arevision of the version first published byISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS)7799-1:1999.The purpose of the 27002 standard is toset out a structured set of literallyhundreds of information security controls,the use of which will help to achieveconformity with 27001. However, it is notan compulsory list: organizations are freeto implement controls not specificallylisted, so long as they are effective andconform to the requirements outlined in27001.ISO/IEC 27002 provides best practicerecommendations on information securitymanagement for use by those who areresponsible for initiating, implementing ormaintaining Information SecurityManagement Systems (ISMS). Informationsecurity is defined within the standard inthe context of the C-I-A triad: thepreservation of 
(ensuringthat information is accessible only to thoseauthorised to have access),
(safeguarding the accuracy andcompleteness of information andprocessing methods) and
(ensuring that authorised users haveaccess to information and associatedassets when required).ISO/IEC 27002 contains best practices andsecurity controls in the following areas of information security management:
security policy;
organization of information security;
asset management;
human resources security;
physical and environmental security;
communications and operationsmanagement
Access control;
Information systems acquisition;
development and maintenance;
information security incidentmanagement;
business continuity management;
3.3. ISO/IEC 27005
ISO/IEC 27005:2008 provides guidelinesfor information security risk management.It supports the general concepts specifiedin ISO/IEC 27001 and is designed to assistthe implementation of information securitybased on a risk management approach.Knowledge of the concepts andterminologies described in ISO/IEC 27001and ISO/IEC 27002 is very important for a

Activity (2)

You've already reviewed this. Edit your review.
1 thousand reads
1 hundred reads

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->